|
| 1 | +- name: cloud |
| 2 | + title: Cloud |
| 3 | + group: 2 |
| 4 | + description: Fields related to the cloud or infrastructure the events are coming from. |
| 5 | + footnote: 'Examples: If Metricbeat is running on an EC2 host and fetches data from its host, the cloud info contains the data about this machine. If Metricbeat runs on a remote machine outside the cloud and fetches data from a service running in the cloud, the field contains cloud data from the machine the service is running on.' |
| 6 | + type: group |
| 7 | + fields: |
| 8 | + - name: account.id |
| 9 | + level: extended |
| 10 | + type: keyword |
| 11 | + ignore_above: 1024 |
| 12 | + description: 'The cloud account or organization id used to identify different entities in a multi-tenant environment. |
| 13 | +
|
| 14 | + Examples: AWS account id, Google Cloud ORG Id, or other unique identifier.' |
| 15 | + example: 666777888999 |
| 16 | + - name: availability_zone |
| 17 | + level: extended |
| 18 | + type: keyword |
| 19 | + ignore_above: 1024 |
| 20 | + description: Availability zone in which this host is running. |
| 21 | + example: us-east-1c |
| 22 | + - name: instance.id |
| 23 | + level: extended |
| 24 | + type: keyword |
| 25 | + ignore_above: 1024 |
| 26 | + description: Instance ID of the host machine. |
| 27 | + example: i-1234567890abcdef0 |
| 28 | + - name: instance.name |
| 29 | + level: extended |
| 30 | + type: keyword |
| 31 | + ignore_above: 1024 |
| 32 | + description: Instance name of the host machine. |
| 33 | + - name: machine.type |
| 34 | + level: extended |
| 35 | + type: keyword |
| 36 | + ignore_above: 1024 |
| 37 | + description: Machine type of the host machine. |
| 38 | + example: t2.medium |
| 39 | + - name: provider |
| 40 | + level: extended |
| 41 | + type: keyword |
| 42 | + ignore_above: 1024 |
| 43 | + description: Name of the cloud provider. Example values are aws, azure, gcp, or digitalocean. |
| 44 | + example: aws |
| 45 | + - name: region |
| 46 | + level: extended |
| 47 | + type: keyword |
| 48 | + ignore_above: 1024 |
| 49 | + description: Region in which this host is running. |
| 50 | + example: us-east-1 |
| 51 | + - name: project.id |
| 52 | + type: keyword |
| 53 | + description: Name of the project in Google Cloud. |
| 54 | + - name: image.id |
| 55 | + type: keyword |
| 56 | + description: Image ID for the cloud instance. |
| 57 | +- name: container |
| 58 | + title: Container |
| 59 | + group: 2 |
| 60 | + description: 'Container fields are used for meta information about the specific container that is the source of information. |
| 61 | +
|
| 62 | + These fields help correlate data based containers from any runtime.' |
| 63 | + type: group |
| 64 | + fields: |
| 65 | + - name: id |
| 66 | + level: core |
| 67 | + type: keyword |
| 68 | + ignore_above: 1024 |
| 69 | + description: Unique container id. |
| 70 | + - name: image.name |
| 71 | + level: extended |
| 72 | + type: keyword |
| 73 | + ignore_above: 1024 |
| 74 | + description: Name of the image the container was built on. |
| 75 | + - name: labels |
| 76 | + level: extended |
| 77 | + type: object |
| 78 | + object_type: keyword |
| 79 | + description: Image labels. |
| 80 | + - name: name |
| 81 | + level: extended |
| 82 | + type: keyword |
| 83 | + ignore_above: 1024 |
| 84 | + description: Container name. |
| 85 | +- name: host |
| 86 | + title: Host |
| 87 | + group: 2 |
| 88 | + description: 'A host is defined as a general computing instance. |
| 89 | +
|
| 90 | + ECS host.* fields should be populated with details about the host on which the event happened, or from which the measurement was taken. Host types include hardware, virtual machines, Docker containers, and Kubernetes nodes.' |
| 91 | + type: group |
| 92 | + fields: |
| 93 | + - name: architecture |
| 94 | + level: core |
| 95 | + type: keyword |
| 96 | + ignore_above: 1024 |
| 97 | + description: Operating system architecture. |
| 98 | + example: x86_64 |
| 99 | + - name: domain |
| 100 | + level: extended |
| 101 | + type: keyword |
| 102 | + ignore_above: 1024 |
| 103 | + description: 'Name of the domain of which the host is a member. |
| 104 | +
|
| 105 | + For example, on Windows this could be the host''s Active Directory domain or NetBIOS domain name. For Linux this could be the domain of the host''s LDAP provider.' |
| 106 | + example: CONTOSO |
| 107 | + default_field: false |
| 108 | + - name: hostname |
| 109 | + level: core |
| 110 | + type: keyword |
| 111 | + ignore_above: 1024 |
| 112 | + description: 'Hostname of the host. |
| 113 | +
|
| 114 | + It normally contains what the `hostname` command returns on the host machine.' |
| 115 | + - name: id |
| 116 | + level: core |
| 117 | + type: keyword |
| 118 | + ignore_above: 1024 |
| 119 | + description: 'Unique host id. |
| 120 | +
|
| 121 | + As hostname is not always unique, use values that are meaningful in your environment. |
| 122 | +
|
| 123 | + Example: The current usage of `beat.name`.' |
| 124 | + - name: ip |
| 125 | + level: core |
| 126 | + type: ip |
| 127 | + description: Host ip addresses. |
| 128 | + - name: mac |
| 129 | + level: core |
| 130 | + type: keyword |
| 131 | + ignore_above: 1024 |
| 132 | + description: Host mac addresses. |
| 133 | + - name: name |
| 134 | + level: core |
| 135 | + type: keyword |
| 136 | + ignore_above: 1024 |
| 137 | + description: 'Name of the host. |
| 138 | +
|
| 139 | + It can contain what `hostname` returns on Unix systems, the fully qualified domain name, or a name specified by the user. The sender decides which value to use.' |
| 140 | + - name: os.family |
| 141 | + level: extended |
| 142 | + type: keyword |
| 143 | + ignore_above: 1024 |
| 144 | + description: OS family (such as redhat, debian, freebsd, windows). |
| 145 | + example: debian |
| 146 | + - name: os.kernel |
| 147 | + level: extended |
| 148 | + type: keyword |
| 149 | + ignore_above: 1024 |
| 150 | + description: Operating system kernel version as a raw string. |
| 151 | + example: 4.4.0-112-generic |
| 152 | + - name: os.name |
| 153 | + level: extended |
| 154 | + type: keyword |
| 155 | + ignore_above: 1024 |
| 156 | + multi_fields: |
| 157 | + - name: text |
| 158 | + type: text |
| 159 | + norms: false |
| 160 | + default_field: false |
| 161 | + description: Operating system name, without the version. |
| 162 | + example: Mac OS X |
| 163 | + - name: os.platform |
| 164 | + level: extended |
| 165 | + type: keyword |
| 166 | + ignore_above: 1024 |
| 167 | + description: Operating system platform (such centos, ubuntu, windows). |
| 168 | + example: darwin |
| 169 | + - name: os.version |
| 170 | + level: extended |
| 171 | + type: keyword |
| 172 | + ignore_above: 1024 |
| 173 | + description: Operating system version as a raw string. |
| 174 | + example: 10.14.1 |
| 175 | + - name: type |
| 176 | + level: core |
| 177 | + type: keyword |
| 178 | + ignore_above: 1024 |
| 179 | + description: 'Type of host. |
| 180 | +
|
| 181 | + For Cloud providers this can be the machine type like `t2.medium`. If vm, this could be the container, for example, or other information meaningful in your environment.' |
| 182 | + - name: containerized |
| 183 | + type: boolean |
| 184 | + description: > |
| 185 | + If the host is a container. |
| 186 | +
|
| 187 | + - name: os.build |
| 188 | + type: keyword |
| 189 | + example: "18D109" |
| 190 | + description: > |
| 191 | + OS build information. |
| 192 | +
|
| 193 | + - name: os.codename |
| 194 | + type: keyword |
| 195 | + example: "stretch" |
| 196 | + description: > |
| 197 | + OS codename, if any. |
| 198 | +
|
0 commit comments